
Author: Government Digital Service

Last updated: 2025-06-27

Potential subdomain takeover

Impact: High
Common error ID: detectify-potential-subdomain-takeover-using

What this means

A potential subdomain takeover occurs when a subdomain has a CNAME record pointing to a service that no longer responds for that domain.

This DNS misconfiguration can allow a malicious third party to claim the subdomain through the service and take control of it.

In these cases the takeover is listed as ‘potential’ because it is unclear what protections the service provider has in place to prevent a third party taking over dangling resources.

Why this is a problem

Subdomain takeovers pose significant security risks:

  • Phishing attacks – attackers can host malicious content on the subdomain, leveraging the trust associated with the main domain.
  • Data theft – sensitive information can be stolen if users are tricked into interacting with the compromised subdomain.
  • Reputational damage – an organisation’s reputation can be severely damaged if the subdomain is used for malicious purposes.
  • Session hijacking – attackers may be able to steal user session cookies, potentially leading to unauthorised access.

How to check if the problem is still there

Use dig to query the CNAME record for the subdomain.

Example

dig cname subdomain.example.gov.uk +short

subdomain.supplier.co.uk

Check whether the CNAME record resolves to a name that no longer exists. Take the output of the previous command and query it for a further CNAME record.

dig cname subdomain.supplier.co.uk +short

subdomain.anothersupplier.co.uk

Keep following the CNAME chain until you no longer get a response to the CNAME query. When you reach a name without a CNAME, check it for an A record.

dig a subdomain.anothersupplier.co.uk

If the response status is `NXDOMAIN` (Non-Existent Domain), the name at the end of the chain no longer exists at the third-party service.

You may also be able to verify the status of the third-party service by visiting the URL in a web browser to see if the page exists. If the page returns a 404 error or similar, it confirms that the page does not exist. This may not be foolproof as some URLs may only respond to traffic forwarded from a specific previous location.
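To make the chain-following steps above repeatable, here is an added Python example (not part of the original guidance) that implements the same procedure: follow CNAMEs until none remain, then check for an A record, reporting `NXDOMAIN` at any hop as a potential takeover. The sample records, the `lb.supplier.co.uk` name and the `dig_lookup` wrapper around the page's dig commands are all constructed for this example.

```python
import subprocess

# Constructed sample records modelling the page's example chain (not real DNS data).
# subdomain.anothersupplier.co.uk deliberately has no records: the dangling target.
SAMPLE_RECORDS = {
    ("subdomain.example.gov.uk", "CNAME"): ["subdomain.supplier.co.uk"],
    ("subdomain.supplier.co.uk", "CNAME"): ["subdomain.anothersupplier.co.uk"],
    ("www.example.gov.uk", "CNAME"): ["lb.supplier.co.uk"],
    ("lb.supplier.co.uk", "A"): ["203.0.113.10"],
}

class NXDomain(Exception):
    """Raised when the queried name does not exist at all (dig status NXDOMAIN)."""

def sample_lookup(name, rtype):
    """Offline stand-in for dig: returns record data for (name, rtype) or raises NXDomain."""
    if not any(n == name for n, _ in SAMPLE_RECORDS):
        raise NXDomain(name)
    return SAMPLE_RECORDS.get((name, rtype), [])

def dig_lookup(name, rtype):
    """Live resolver wrapping the page's dig commands (needs network); pass as lookup=."""
    full = subprocess.run(["dig", rtype, name], capture_output=True, text=True).stdout
    if "status: NXDOMAIN" in full:
        raise NXDomain(name)
    short = subprocess.run(["dig", rtype, name, "+short"], capture_output=True, text=True).stdout
    return [line.strip().rstrip(".") for line in short.splitlines() if line.strip()]

def check_subdomain(name, lookup=sample_lookup, max_hops=10):
    """Follow the CNAME chain as the guidance describes; return (verdict, chain)."""
    chain = [name]
    for _ in range(max_hops):
        try:
            targets = lookup(chain[-1], "CNAME")
        except NXDomain:
            return "dangling", chain       # name at this hop no longer exists: potential takeover
        if not targets:
            break                           # no further CNAME: now check for an A record
        nxt = targets[0].rstrip(".")
        if nxt in chain:
            return "loop", chain            # misconfigured chain pointing back at itself
        chain.append(nxt)
    else:
        return "too-many-hops", chain
    try:
        addrs = lookup(chain[-1], "A")
    except NXDomain:
        return "dangling", chain
    return ("resolves" if addrs else "no-address"), chain
```

A "dangling" verdict is only the DNS signal; as the guidance notes, whether a third party can actually claim the name depends on the provider's protections, so confirm with the provider before treating it as a live takeover.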

How to fix it

Remove unused records – delete CNAME records for subdomains no longer in use.

Update active services – make sure all active subdomains are properly configured with the current service provider.

Implement domain ownership verification – when using third-party services, implement proper domain ownership verification methods, or select services where these are available.

Regular audits – conduct periodic audits of DNS records to identify and remove outdated entries.

By addressing these issues promptly, organisations can significantly reduce the risk of subdomain takeovers and protect their digital assets from potential attacks.

